CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 1CVE-2016-5294
https://notcve.org/view.php?id=CVE-2016-5294
The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. Mozilla Updater puede ser forzado a escoger un directorio de trabajo objetivo arbitrario para enviar archivos resultantes del proceso de actualización. • http://www.securityfocus.com/bid/94336 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1246972 https://security.gentoo.org/glsa/201701-15 https://www.mozilla.org/security/advisories/mfsa2016-89 https://www.mozilla.org/security/advisories/mfsa2016-90 https://www.mozilla.org/security/advisories/mfsa2016-93 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2018-5121
https://notcve.org/view.php?id=CVE-2018-5121
Low descenders on some Tibetan characters in several fonts on OS X are clipped when rendered in the addressbar. When used as part of an Internationalized Domain Name (IDN) this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 58. • http://www.securityfocus.com/bid/102786 http://www.securitytracker.com/id/1040270 https://bugzilla.mozilla.org/show_bug.cgi?id=1402368 https://www.mozilla.org/security/advisories/mfsa2018-02 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7836
https://notcve.org/view.php?id=CVE-2017-7836
The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected. This vulnerability affects Firefox < 57. • http://www.securityfocus.com/bid/101832 http://www.securitytracker.com/id/1039803 https://bugzilla.mozilla.org/show_bug.cgi?id=1401339 https://www.mozilla.org/security/advisories/mfsa2017-24 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7766
https://notcve.org/view.php?id=CVE-2017-7766
An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Un ataque que emplea la manipulación del contenido de "updater.ini", empleado por Mozilla Windows Updater, y un escalado de privilegios mediante Mozilla Maintenance Service permite la ejecución y eliminación de archivos arbitrarios por parte de Maintenance Service, que tiene acceso privilegiado. • http://www.securityfocus.com/bid/99057 http://www.securitytracker.com/id/1038689 https://bugzilla.mozilla.org/show_bug.cgi?id=1342742 https://www.mozilla.org/security/advisories/mfsa2017-15 https://www.mozilla.org/security/advisories/mfsa2017-16 •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-7763
https://notcve.org/view.php?id=CVE-2017-7763
Default fonts on OS X display some Tibetan characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. • http://www.securityfocus.com/bid/99057 http://www.securitytracker.com/id/1038689 https://bugzilla.mozilla.org/show_bug.cgi?id=1360309 https://www.mozilla.org/security/advisories/mfsa2017-15 https://www.mozilla.org/security/advisories/mfsa2017-16 https://www.mozilla.org/security/advisories/mfsa2017-17 • CWE-20: Improper Input Validation •